Impact
Improper Neutralization of Input During Web Page Generation (XSS) in the Xpro Elementor Addons plugin enables attackers to store malicious scripts that are then rendered when other users view affected pages. The injected code can be used to hijack user sessions, steal cookies, deface content, or redirect users to phishing sites. The flaw is a classic stored XSS that directly impacts the confidentiality, integrity, and availability of the web application and any users accessing vulnerable pages.
Affected Systems
WordPress installations that have the Xpro Elementor Addons plugin installed in version 1.4.10 or earlier are affected. Security administrators should audit all WordPress sites for this plugin and record the exact installed version to determine whether remediation is required.
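The audit the advisory asks for can be automated by reading each site's plugin header and comparing the Version field against 1.4.10. The following is an added example, not code from the advisory or from the plugin's author: it parses the standard WordPress plugin-header block, compares versions numerically rather than as strings (so 1.4.9 is correctly treated as older than 1.4.10), and reports which sites still need remediation. The plugin file path and the sample header are assumptions constructed for the example.

```python
import re

# ASSUMPTION (not stated in the advisory): the plugin slug and main file name.
# Adjust to whatever is present under wp-content/plugins/ on the audited site.
ASSUMED_PLUGIN_FILE = "wp-content/plugins/xpro-elementor-addons/xpro-elementor-addons.php"

# Highest affected version as stated by the advisory.
MAX_AFFECTED_VERSION = "1.4.10"

# Constructed sample header in the standard WordPress plugin-header format,
# standing in for the first lines of the plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Xpro Elementor Addons
 * Description: Sample header constructed for this example.
 * Version: 1.4.10
 * Author: example
 */
"""


def parse_plugin_version(header_text):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def version_tuple(version):
    """Convert '1.4.10' to (1, 4, 10); non-numeric suffixes like '10-beta' keep the digits."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True when the installed version is 1.4.10 or earlier."""
    a, b = version_tuple(version), version_tuple(MAX_AFFECTED_VERSION)
    # Pad with zeros so (1, 4) compares as (1, 4, 0).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def assess(header_text):
    """Return (version, remediation_required) for one site's plugin header.

    (None, None) means no Version header was found and the site needs manual review.
    """
    version = parse_plugin_version(header_text)
    if version is None:
        return None, None
    return version, is_affected(version)


def audit(sites):
    """sites: {site_name: header_text}. Return sorted names that still need remediation."""
    return sorted(name for name, text in sites.items() if assess(text)[1])


if __name__ == "__main__":
    # Constructed inventory: two sites on the affected version, one already updated.
    inventory = {
        "shop.example": SAMPLE_HEADER,
        "blog.example": SAMPLE_HEADER.replace("Version: 1.4.10", "Version: 1.4.9"),
        "docs.example": SAMPLE_HEADER.replace("Version: 1.4.10", "Version: 1.4.11"),
    }
    for site in audit(inventory):
        print(f"{site}: {ASSUMED_PLUGIN_FILE} reports {assess(inventory[site])[0]}, update required")
```

In practice the header text would come from reading the plugin's main file over SSH or from the output of a plugin inventory tool; the version comparison is the part worth getting right, since a lexical comparison would wrongly mark 1.4.9 as newer than 1.4.10.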
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the current landscape. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the plugin’s input fields that persist user data; from the description, it is inferred that an attacker who can add or edit content through the plugin, which likely requires authenticated access, could inject malicious code. The absence of an active exploitation record suggests that the vulnerability was not being widely exploited at the time of this assessment.
OpenCVE Enrichment